Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

2009-06-09 Thread David Fuelling
David, Great questions -- see my thoughts/opinions inline... david On Tue, Jun 9, 2009 at 6:36 PM, David Recordon da...@sixapart.com wrote: Hey David, I've been following some of the discovery work the past few months, but don't have a clear picture if the various components are actually

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

2009-06-09 Thread David Fuelling
On Tue, Jun 9, 2009 at 7:09 PM, Breno de Medeiros br...@google.com wrote: If we start the process to form a WG for discovery now, most likely the process would only be completed in 6 months, even if there was considerable agreement and stable technologies to draw from. Right now, there is

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

2009-06-09 Thread David Fuelling
Great feedback. I took the liberty to add this to the Discussion Points on the wiki page. http://wiki.openid.net/OpenID-Discovery On Tue, Jun 9, 2009 at 8:43 PM, Allen Tom a...@yahoo-inc.com wrote: My primary concern with changing OpenID Discovery is the upgrade path to the new discovery

Re: New OP-MultiAuth Draft Published

2009-01-19 Thread David Fuelling
. Or at minimum a naming scheme that highlights the commonality .. UAPE :-) paul David Fuelling wrote: For anyone interested, I've put out a 2nd draft of my OP-MultiAuth idea. I think the first draft was pretty confusing, so hopefully this clarifies things a bit more. Wiki Page: http

New OP-MultiAuth Draft Published

2009-01-18 Thread David Fuelling
For anyone interested, I've put out a 2nd draft of my OP-MultiAuth idea. I think the first draft was pretty confusing, so hopefully this clarifies things a bit more. Wiki Page: http://wiki.openid.net/OP-MultiAuth Actual Draft:

Re: [OpenID] DISCUSSION relating to OpenID Discovery 2.1

2008-12-31 Thread David Fuelling
On Tue, Dec 30, 2008 at 7:00 PM, Peter Williams pwilli...@rapattoni.com wrote: I gave up half way through my careful reply, as it was approaching formatting-incomprehensible …to the poor reader trying to follow it, point by inset counterpoint. Yes, I encountered the same thing in my responses.

Re: Proposal to form Discovery Working Group

2008-12-27 Thread David Fuelling
On Thu, Dec 25, 2008 at 10:56 AM, Nat Sakimura n-sakim...@nri.co.jp wrote: 2. Separation of OP into Discovery Service and Authentication Service. In the current terminology, OP spans both Discovery Service and Authentication Service. We should be explicit about it. +1. I would like to

Re: non-standard login mechanism

2008-11-17 Thread David Fuelling
Sounds like you're simply mapping a SL UUID to an OpenID, so my opinion would be no, this does not break the spec, so long as the actual OpenID transaction utilizes the OpenID URL that you have on file in the DB. This is very similar to the other discussions going on regarding using an email

Re: [OpenID] OpenID Extension to handle Emails Addresses?

2008-10-30 Thread David Fuelling
On Thu, Oct 30, 2008 at 4:01 PM, Martin Atkins [EMAIL PROTECTED] wrote: David Fuelling wrote: I would even entertain the notion of the OpenID extension doing DNS lookup first, then EAUT, though I need to think more on the topic. Alternatively, maybe we make DNS optional. At this point

Re: OpenID Trusted Authentication Extension

2007-08-27 Thread David Fuelling
John, Have a look at OAuth (http://groups.google.com/group/oauth). I think it's currently a private google group, but it seems like you've given a lot of thought to this type of thing, so I'm sure the group owners would welcome your input. There's a lot of activity going on over there. David

Re: OpenId as API authentication method

2007-07-31 Thread David Fuelling
What is OAuth? The group appears to be private, so is not accessible. david On 7/27/07, John Panzer [EMAIL PROTECTED] wrote: You should probably check out OAuth: http://groups.google.com/group/oauth, and its draft

Re: Do We Agree on the Problem We're Trying to Solve?

2007-06-11 Thread David Fuelling
On 6/11/07, Josh Hoyt [EMAIL PROTECTED] wrote: On 6/8/07, David Fuelling [EMAIL PROTECTED] wrote: If in 50 years, a given canonical URL domain goes away, then couldn't a given OpenId URL owner simply specify a new Canonical URL in his XRDS doc? If I understand the way that David Recordon

Re: Do We Agree on the Problem We're Trying to Solve?

2007-06-08 Thread David Fuelling
Wrt to the problems we're trying to solve, I think that we should define a (C) (which is similar to (A), yet instigated by the user and doesn't trigger an RP recycle) and a (D). In summary: A) Identifier recycling normally in large user-base deployments. i.e. insert big company needs a way to

Re: Do We Agree on the Problem We're Trying to Solve?

2007-06-08 Thread David Fuelling
Assuming I understand things correctly, it seems like what we're calling a canonical URL in this thread is really a pseudo-canonical URL since a given OpenID's XRDS doc is what specifies the Canonical ID. If in 50 years, a given canonical URL domain goes away, then couldn't a given OpenId URL

Re: Questions about IIW Identifier Recycling Table

2007-06-07 Thread David Fuelling
Hey Johnny, Thanks for your clarifications and answers to my questions about [1]. Over the last few days I've been thinking about your Identifier Recycling proposal[2], in addition to other proposals (Tokens, etc). Assuming I understand things correctly, it seems as if a hybrid of the

Re: Questions about IIW Identifier Recycling Table

2007-06-07 Thread David Fuelling
Hey Josh, Thanks for your message and great points. See my thoughts/questions inline. On 6/7/07, Josh Hoyt [EMAIL PROTECTED] wrote: On 6/7/07, David Fuelling [EMAIL PROTECTED] wrote: Over the last few days I've been thinking about your Identifier Recycling proposal[2], in addition

Questions about IIW Identifier Recycling Table

2007-06-05 Thread David Fuelling
I wasn't at IIW, so please bear with me. In reference to the wiki at http://openid.net/wiki/index.php/IIW2007a/Identifier_Recycling, can somebody clarify what some of the terminology means? Specific questions are below. 1.) For URL+Fragment, what is the distinction between private and public?

What Should an OpenId Be? [WAS: RE: Proposal for Modularizing Auth 2.0 Discovery]

2007-02-28 Thread David Fuelling
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gabe Wachob Sent: Wednesday, February 28, 2007 3:02 PM To: 'Drummond Reed'; 'Martin Atkins'; specs@openid.net Subject: Proposal for Modularizing Auth 2.0 Discovery snip Basically, the Discovery Spec

RE: [OpenID] Wiki page: Attempting to document the Email Address as OpenId debate.

2007-02-11 Thread David Fuelling
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Claus Färber http://openid.net/wiki/index.php?title=Debating_Emails_as_OpenIds I'd prefer to call them [EMAIL PROTECTED] OpenIDs. The concept of using this format is not only used for email but also

RE: [OpenID] FW: PROPOSAL: An Extension to transform an EMail Address to an OpenId URL

2007-02-10 Thread David Fuelling
-Original Message- From: Robert Yates [mailto:[EMAIL PROTECTED] For what it's worth I think that this is excellent. Thanks for the positive feedback! A couple of suggestions: 1) You probably should take a look at the URI Template spec [1]. These guys have done a lot of the work

RE: Proposal: SMTP service extension for Yadis discovery

2007-02-05 Thread David Fuelling
-Original Message- From: Dmitry Shechtman [mailto:[EMAIL PROTECTED] Subject: RE: Proposal: SMTP service extension for Yadis discovery there's nothing wrong with transforming an email to an OpenId Endpoint url (using the root domain of the email). That would require a rule for

RE: [OpenID] Questions about Spoofing OpenId

2007-01-23 Thread David Fuelling
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carl Howells Subject: Re: [OpenID] Questions about Spoofing OpenId Some care has to be taken to make sure that direct cross-linking won't work, but that's not too difficult. What do you mean by

RE: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-11-10 Thread David Fuelling
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Atkins Sent: Friday, November 10, 2006 2:41 AM To: [EMAIL PROTECTED] Subject: Re: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers I provide email addresses to some of my friends,

RE: Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers)

2006-11-10 Thread David Fuelling
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Daugherty # I think that all this discussion about email userid is moving us off # track. My original proposal was that the email maps/normalizes to a # URL of an IdP (the userid is

RE: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-11-09 Thread David Fuelling
with email addresses? -Original Message- From: Hallam-Baker, Phillip [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 08, 2006 4:37 PM To: David Fuelling Cc: specs@openid.net; [EMAIL PROTECTED] Subject: RE: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers Please don't map

RE: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-11-09 Thread David Fuelling
Hi Martin, This is interesting. I guess your suggestion (see your msg below) deals with a sub-topic of the whole should email be allowed in the OpenId login form debate, which is this: If email is allowed in the OpenId login form, should the mapping/normalization include the email Userid...OR,

Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers)

2006-11-09 Thread David Fuelling
Hey David, Thanks for your ideas. Some more thoughts below. -Original Message- From: David Nicol [mailto:[EMAIL PROTECTED] Sent: Thursday, November 09, 2006 6:49 PM To: David Fuelling Cc: Martin Atkins; specs@openid.net; [EMAIL PROTECTED] Subject: Re: [PROPOSAL] Handle http

RE: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-11-08 Thread David Fuelling
a user that the Identity URL they type in (e.g., http://aol.com) is not their identity. Both will/would take some education. Thanks! David Fuelling [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Recordon, David Sent: Thursday, October

RE: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-11-08 Thread David Fuelling
Please see my questions/ideas enclosed... Thanks! David Fuelling -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drummond Reed Sent: Friday, October 20, 2006 1:04 AM To: 'Recordon, David'; specs@openid.net Subject: RE: [PROPOSAL] Handle http

RE: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-11-08 Thread David Fuelling
] Sent: Wednesday, November 08, 2006 1:45 PM To: David Fuelling; specs@openid.net Subject: RE: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers Please don't use HTTP this way. That is not the semantics for http URLs. A better scheme would be to use mailto:[EMAIL PROTECTED

RE: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-11-08 Thread David Fuelling
PROTECTED] Sent: Wednesday, November 08, 2006 1:45 PM To: David Fuelling Cc: specs@openid.net Subject: Re: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers # So, if in a hypothetical world where we have 4 potential OpenId # values that a user could enter, AND the goal is to reduce

RE: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-11-08 Thread David Fuelling
and encourage them to adopt openid...and here's why. Anyway, this might be a different perspective on whether or not the [oops, your login didn't work] is a bad thing. -Original Message- From: Dick Hardt [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 08, 2006 5:06 PM To: David